aeondave/hashcat
offensive-tools/cracking/hashcat/SKILL.md
Auth/lab ref: GPU-accelerated offline password cracking tool supporting 300+ hash types.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill hashcatInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 8, 2026, 3:43 AM178.2s2 files scanned
SKILL.md
- name:
- hashcat
- description:
- Auth/lab ref: GPU-accelerated offline password cracking tool supporting 300+ hash types.
- license:
- MIT
- compatibility:
- Linux, Windows, macOS.
- author:
- AeonDave
- version:
- 1.1
Hashcat
GPU-accelerated offline hash cracker — the standard tool for password recovery in offensive ops.
Quick Start
# Wordlist attack on NTLM hashes
hashcat -a 0 -m 1000 hashes.txt rockyou.txt
# Rule-based wordlist attack
hashcat -a 0 -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Mask brute-force (8-char, uppercase + digits)
hashcat -a 3 -m 1000 hashes.txt ?u?u?u?u?d?d?d?d
Attack Modes
| Mode | Flag | Description |
|------|------|-------------|
| Wordlist | -a 0 | Dictionary attack |
| Combination | -a 1 | Combine two wordlists |
| Brute-force | -a 3 | Mask/charset brute-force |
| Rule-based | -a 0 -r | Wordlist + transformation rules |
| Hybrid | -a 6/-a 7 | Wordlist + mask or mask + wordlist |
Common Hash Types (-m)
| Hash | Mode | Source |
|------|------|--------|
| NTLM | 1000 | Windows SAM / NTDS dump |
| Net-NTLMv1 | 5500 | Responder capture |
| Net-NTLMv2 | 5600 | Responder capture |
| Kerberos 5 TGS (RC4) | 13100 | Kerberoasting |
| Kerberos 5 AS-REP | 18200 | AS-REP roasting |
| MD5 | 0 | Web app, misc |
| SHA1 | 100 | Web app, misc |
| SHA256 | 1400 | General |
| bcrypt | 3200 | Linux /etc/shadow |
| SHA512crypt | 1800 | Linux /etc/shadow |
| WPA-PMKID | 22000 | WiFi |
Mask Characters
| Mask | Charset |
|------|---------|
| ?l | lowercase a-z |
| ?u | uppercase A-Z |
| ?d | digits 0-9 |
| ?s | special chars |
| ?a | all printable (?l?u?d?s) |
| ?b | all bytes 0x00-0xFF |
Core Flags
| Flag | Description |
|------|-------------|
| -a <n> | Attack mode |
| -m <n> | Hash type |
| -w <n> | Workload: 1=low, 2=default, 3=high, 4=insane |
| -O | Optimized kernels (faster, limited pass length) |
| --force | Ignore GPU warnings |
| -r <file> | Rules file |
| --increment | Increment mask length |
| --increment-min <n> | Min mask length |
| --increment-max <n> | Max mask length |
| -o <file> | Output cracked hashes |
| --outfmt <n> | Output format: 2=hash:plain, 3=plain |
| --show | Show cracked hashes from potfile |
| --status | Real-time status |
| --restore | Resume previous session |
| -S | Slow candidates (for rules) |
Common Workflows
# NTLM with rockyou + best64 rules
hashcat -a 0 -m 1000 ntlm.txt rockyou.txt -r best64.rule -O
# Net-NTLMv2 (Responder capture)
hashcat -a 0 -m 5600 netntlm.txt rockyou.txt -r best64.rule
# Kerberoasting TGS
hashcat -a 0 -m 13100 kerberoast.txt rockyou.txt -r one-rule-to-rule-them-all.rule
# AS-REP roasting
hashcat -a 0 -m 18200 asrep.txt rockyou.txt
# Mask brute-force: 8-char, any printable
hashcat -a 3 -m 1000 hashes.txt -1 ?a ?1?1?1?1?1?1?1?1 --increment --increment-min 6
# Combine wordlist + mask (hybrid)
hashcat -a 6 -m 1000 hashes.txt rockyou.txt ?d?d?d
# Show cracked passwords
hashcat -m 1000 hashes.txt --show
Session Management
# Named session (survives interruption)
hashcat -a 0 -m 1000 hashes.txt rockyou.txt --session mysession
# Resume session
hashcat --session mysession --restore
PRINCE Attack (-a 9)
# Requires princeprocessor (pp64.bin)
pp64.bin wordlist.txt | hashcat -a 0 -m 1000 hashes.txt
# Or native (hashcat 6.2+)
hashcat -a 9 -m 1000 hashes.txt wordlist.txt
Combinator Attack (-a 1)
# Concatenate every word from list1 with every word from list2
hashcat -a 1 -m 1000 hashes.txt words1.txt words2.txt
# Add rules to left/right side
hashcat -a 1 -m 1000 hashes.txt words1.txt words2.txt -j '$-' -k 'l'
Resources
| File | When to load |
|------|--------------|
| references/rules-and-masks.md | Rule file reference, mask cookbook, wordlist recommendations, hash extraction commands |
Related Skills
aeondave/vibe-audit-technique
development
VerifiedTrustedCommunity
White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).
4SKILL.mdUpdated Jun 12, 2026
aeondave/source-review-technique
development
VerifiedTrustedCommunity
Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
4SKILL.mdUpdated Jun 12, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 12, 2026
aeondave/container-technique
devops
VerifiedTrustedCommunity
Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.
4SKILL.mdUpdated Jun 12, 2026